Awaiting feedback Building add-on skips filenames starting with dot

ivp

Active member
Affected version
2.2.13
When building the add-on hidden files (starting with dot) are not added to ZIP.

Don't see other way to be sure that some keys are not accessible publicly.
 
Last edited:
I'm not entirely opposed to changing the behavior if there's a solid use case, but this is deliberate as it stands. Typically files in the src/ directory are not publicly accessible as it is.
 
Just checked and I can see that nginx config includes:
Code:
location /src/ {
  internal;
}
and src/.htaccess:
Code:
Order deny,allow
Deny from all
So you think it is perfectly safe to have keys in regular files (not starting with dot)?
 
I'm not sure about perfectly safe. Preventing any sort of file from being served (including dot files) depends on the web server being configured correctly, but XF does expect that the src/ directory is not served. For DKIM, we store generated private keys in the internal data mount point with a random file name.

Are you distributing a private key in the add-on itself? You could also consider storing it as a string in PHP to reduce the likelihood of it being served, but I guess that depends on your exact needs.
 
Back
Top Bottom